/*
 * #%L
 * Alfresco Repository
 * %%
 * Copyright (C) 2005 - 2016 Alfresco Software Limited
 * %%
 * This file is part of the Alfresco software. 
 * If the software was purchased under a paid Alfresco license, the terms of 
 * the paid license agreement will prevail.  Otherwise, the software is 
 * provided under the following open source license terms:
 * 
 * Alfresco is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 * 
 * Alfresco is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 * 
 * You should have received a copy of the GNU Lesser General Public License
 * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
 * #L%
 */
package org.alfresco.repo.jscript;

import java.io.Serializable;
import java.text.Collator;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.Scriptable;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.extensions.surf.util.I18NUtil;
import org.springframework.extensions.surf.util.ParameterCheck;

import org.alfresco.model.ContentModel;
import org.alfresco.repo.security.authentication.AuthenticationException;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.authentication.UserNameGenerator;
import org.alfresco.repo.security.authority.AuthorityDAO;
import org.alfresco.repo.security.permissions.AccessDeniedException;
import org.alfresco.repo.security.person.PersonServiceImpl;
import org.alfresco.repo.security.sync.UserRegistrySynchronizer;
import org.alfresco.repo.tenant.TenantDomainMismatchException;
import org.alfresco.repo.tenant.TenantService;
import org.alfresco.service.ServiceRegistry;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.repository.StoreRef;
import org.alfresco.service.cmr.search.LimitBy;
import org.alfresco.service.cmr.search.PermissionEvaluationMode;
import org.alfresco.service.cmr.search.ResultSet;
import org.alfresco.service.cmr.search.SearchParameters;
import org.alfresco.service.cmr.search.SearchService;
import org.alfresco.service.cmr.security.AuthorityService;
import org.alfresco.service.cmr.security.AuthorityType;
import org.alfresco.service.cmr.security.MutableAuthenticationService;
import org.alfresco.service.cmr.security.PersonService;
import org.alfresco.service.cmr.security.PersonService.PersonInfo;
import org.alfresco.service.cmr.usage.ContentUsageService;
import org.alfresco.service.namespace.QName;
import org.alfresco.util.Pair;
import org.alfresco.util.PropertyMap;
import org.alfresco.util.ScriptPagingDetails;
import org.alfresco.util.ValueDerivingMapFactory;
import org.alfresco.util.ValueDerivingMapFactory.ValueDeriver;

/**
 * Scripted People service for describing and executing actions against People & Groups.
 * 
 * @author davidc
 * @author kevinr
 */
public class People extends BaseScopableProcessorExtension implements InitializingBean
{
    private static Log logger = LogFactory.getLog(People.class);

    /** Repository Service Registry */
    private ServiceRegistry services;
    private AuthorityDAO authorityDAO;
    private AuthorityService authorityService;
    private PersonService personService;
    private MutableAuthenticationService authenticationService;
    private ContentUsageService contentUsageService;
    private UserNameGenerator usernameGenerator;
    private UserRegistrySynchronizer userRegistrySynchronizer;
    protected TenantService tenantService;

    private StoreRef storeRef;
    private ValueDerivingMapFactory<ScriptNode, String, Boolean> valueDerivingMapFactory;
    private int numRetries = 10;

    private int defaultListMaxResults = 5000;
    private boolean honorHintUseCQ = true;

    protected static final String HINT_CQ_SUFFIX = " [hint:useCQ]";

    public void afterPropertiesSet() throws Exception
    {
        Map<String, ValueDeriver<ScriptNode, Boolean>> capabilityTesters = new HashMap<String, ValueDeriver<ScriptNode, Boolean>>(5);
        capabilityTesters.put("isAdmin", new ValueDeriver<ScriptNode, Boolean>() {
            public Boolean deriveValue(ScriptNode source)
            {
                return isAdmin(source);
            }
        });
        capabilityTesters.put("isGuest", new ValueDeriver<ScriptNode, Boolean>() {
            public Boolean deriveValue(ScriptNode source)
            {
                return isGuest(source);
            }
        });
        capabilityTesters.put("isMutable", new ValueDeriver<ScriptNode, Boolean>() {
            public Boolean deriveValue(ScriptNode source)
            {
                // Check whether the account is mutable according to the authentication service
                String sourceUser = (String) source.getProperties().get(ContentModel.PROP_USERNAME);
                if (!authenticationService.isAuthenticationMutable(sourceUser))
                {
                    return false;
                }
                // Only allow non-admin users to mutate their own accounts
                String currentUser = authenticationService.getCurrentUserName();
                if (currentUser.equals(sourceUser) || authorityService.isAdminAuthority(currentUser))
                {
                    return true;
                }
                return false;
            }
        });
        this.valueDerivingMapFactory = new ValueDerivingMapFactory<ScriptNode, String, Boolean>(capabilityTesters);
    }

    /**
     * Set the default store reference
     * 
     * @param storeRef
     *            the default store reference
     */
    public void setStoreUrl(String storeRef)
    {
        // ensure this is not set again by a script instance
        if (this.storeRef != null)
        {
            throw new IllegalStateException("Default store URL can only be set once.");
        }
        this.storeRef = new StoreRef(storeRef);
    }

    /**
     * Sets the authentication service.
     * 
     * @param authenticationService
     *            the authentication service
     */
    public void setAuthenticationService(MutableAuthenticationService authenticationService)
    {
        this.authenticationService = authenticationService;
    }

    /**
     * Set the service registry
     * 
     * @param serviceRegistry
     *            the service registry
     */
    public void setServiceRegistry(ServiceRegistry serviceRegistry)
    {
        this.services = serviceRegistry;
    }

    /**
     * Set the authority DAO
     *
     * @param authorityDAO
     *            authority dao
     */
    public void setAuthorityDAO(AuthorityDAO authorityDAO)
    {
        this.authorityDAO = authorityDAO;
    }

    /**
     * Set the authority service
     * 
     * @param authorityService
     *            The authorityService to set.
     */
    public void setAuthorityService(AuthorityService authorityService)
    {
        this.authorityService = authorityService;
    }

    /**
     * Set the person service
     * 
     * @param personService
     *            The personService to set.
     */
    public void setPersonService(PersonService personService)
    {
        this.personService = personService;
    }

    /**
     * @param contentUsageService
     *            the ContentUsageService to set
     */
    public void setContentUsageService(ContentUsageService contentUsageService)
    {
        this.contentUsageService = contentUsageService;
    }

    /**
     * @param tenantService
     *            the tenantService to set
     */
    public void setTenantService(TenantService tenantService)
    {
        this.tenantService = tenantService;
    }

    /**
     * Set the user name generator service
     * 
     * @param userNameGenerator
     *            the user name generator
     */
    public void setUserNameGenerator(UserNameGenerator userNameGenerator)
    {
        this.usernameGenerator = userNameGenerator;
    }

    /**
     * Set the UserRegistrySynchronizer
     * 
     * @param userRegistrySynchronizer
     *            UserRegistrySynchronizer
     */
    public void setUserRegistrySynchronizer(UserRegistrySynchronizer userRegistrySynchronizer)
    {
        this.userRegistrySynchronizer = userRegistrySynchronizer;
    }

    public void setDefaultListMaxResults(int defaultListMaxResults)
    {
        this.defaultListMaxResults = defaultListMaxResults;
    }

    /**
     * Allows customers to choose to use Solr or Lucene rather than a canned query in {@link #getPeople(String, int, String, boolean)} when {@code " [hint:useCQ]"} is appended to the search term (currently Share's User Console does this). The down side is that new users may not appear as they will not have been indexed. This is similar to what happened in 4.1.1 prior to MNT-7548 (4.1.2 and 4.1.1.1). The down side of using a canned query at the moment is that there is a bug, so that it is impossible to search for names such as {@code "Carlos Allende García"} where the first or last names may contain spaces. See MNT-9719 for more details. The alfresco global property {@code people.search.honor.hint.useCQ} is used to set this value (default is true).
     */
    public void setHonorHintUseCQ(boolean honorHintUseCQ)
    {
        this.honorHintUseCQ = honorHintUseCQ;
    }

    /**
     * Delete a Person with the given username
     * 
     * @param username
     *            the username of the person to delete
     */
    public void deletePerson(String username)
    {
        personService.deletePerson(username);
    }

    /**
     * Create a Person with an optionally generated user name. This version doesn't notify them.
     * 
     * @param userName
     *            userName or null for a generated user name
     * @param firstName
     *            firstName
     * @param lastName
     *            lastName
     * @param emailAddress
     *            emailAddress
     * @param password
     *            if not null creates a new authenticator with the given password.
     * @param setAccountEnabled
     *            set to 'true' to create enabled user account, or 'false' to create disabled user account for created person.
     * @return the person node (type cm:person) created or null if the person could not be created
     */
    public ScriptNode createPerson(String userName, String firstName, String lastName, String emailAddress, String password, boolean setAccountEnabled)
    {
        return createPerson(userName, firstName, lastName, emailAddress, password, setAccountEnabled, false);
    }

    /**
     * Create a Person with an optionally generated user name
     * 
     * @param userName
     *            userName or null for a generated user name
     * @param firstName
     *            firstName
     * @param lastName
     *            lastName
     * @param emailAddress
     *            emailAddress
     * @param password
     *            if not null creates a new authenticator with the given password.
     * @param setAccountEnabled
     *            set to 'true' to create enabled user account, or 'false' to create disabled user account for created person.
     * @param notifyByEmail
     *            set to 'true' to have the new user emailed to let them know their account details. Only applies if a username and password were supplied.
     * @return the person node (type cm:person) created or null if the person could not be created
     */
    public ScriptNode createPerson(String userName, String firstName, String lastName, String emailAddress,
            String password, boolean setAccountEnabled, boolean notifyByEmail)
    {
        ParameterCheck.mandatory("firstName", firstName);
        ParameterCheck.mandatory("emailAddress", emailAddress);

        ScriptNode person = null;

        // generate user name if not supplied
        if (userName == null)
        {
            for (int i = 0; i < numRetries; i++)
            {
                userName = usernameGenerator.generateUserName(firstName, lastName, emailAddress, i);

                // create person if user name does not already exist
                if (!personService.personExists(userName))
                {
                    break;
                }
            }
        }

        if (userName != null)
        {
            try
            {
                userName = PersonServiceImpl.updateUsernameForTenancy(userName, tenantService);
            }
            catch (TenantDomainMismatchException re)
            {
                throw new AuthenticationException("User must belong to same domain as admin: " + re.getTenantA());
            }

            person = createPerson(userName, firstName, lastName, emailAddress);

            if (person != null && password != null)
            {
                // create account for person with the userName and password
                authenticationService.createAuthentication(userName, password.toCharArray());
                authenticationService.setAuthenticationEnabled(userName, setAccountEnabled);

                person.save();

                if (notifyByEmail)
                {
                    personService.notifyPerson(userName, password);
                }
            }
        }

        return person;
    }

    /**
     * Enable user account. Can only be called by an Admin authority.
     * 
     * @param userName
     *            user name for which to enable user account
     */
    public void enableAccount(String userName)
    {
        if (this.authorityService.isAdminAuthority(AuthenticationUtil.getFullyAuthenticatedUser()))
        {
            this.authenticationService.setAuthenticationEnabled(userName, true);
        }
    }

    /**
     * Disable user account. Can only be called by an Admin authority.
     * 
     * @param userName
     *            user name for which to disable user account
     */
    public void disableAccount(String userName)
    {
        if (this.authorityService.isAdminAuthority(AuthenticationUtil.getFullyAuthenticatedUser()))
        {
            this.authenticationService.setAuthenticationEnabled(userName, false);
        }
    }

    /**
     * Return true if the specified user account is enabled.
     * 
     * @param userName
     *            user name to test account
     * 
     * @return true if account enabled, false if disabled
     */
    public boolean isAccountEnabled(String userName)
    {
        return this.authenticationService.getAuthenticationEnabled(userName);
    }

    /**
     * Change the password for the currently logged in user. Old password must be supplied.
     * 
     * @param oldPassword
     *            Old user password
     * @param newPassword
     *            New user password
     */
    public void changePassword(String oldPassword, String newPassword)
    {
        ParameterCheck.mandatoryString("oldPassword", oldPassword);
        ParameterCheck.mandatoryString("newPassword", newPassword);

        this.services.getAuthenticationService().updateAuthentication(
                AuthenticationUtil.getFullyAuthenticatedUser(), oldPassword.toCharArray(), newPassword.toCharArray());
    }

    /**
     * Set a password for the given user. Note that only an administrator can perform this action, otherwise it will be ignored.
     * 
     * @param userName
     *            Username to change password for
     * @param password
     *            Password to set
     */
    public void setPassword(String userName, String password)
    {
        ParameterCheck.mandatoryString("userName", userName);
        ParameterCheck.mandatoryString("password", password);

        MutableAuthenticationService authService = this.services.getAuthenticationService();
        if (this.authorityService.hasAdminAuthority() && (userName.equalsIgnoreCase(authService.getCurrentUserName()) == false))
        {
            authService.setAuthentication(userName, password.toCharArray());
        }
    }

    /**
     * Create a Person with the given user name
     * 
     * @param userName
     *            the user name of the person to create
     * @return the person node (type cm:person) created or null if the user name already exists
     */
    public ScriptNode createPerson(String userName)
    {
        ParameterCheck.mandatoryString("userName", userName);

        ScriptNode person = null;

        PropertyMap properties = new PropertyMap();
        properties.put(ContentModel.PROP_USERNAME, userName);

        if (!personService.personExists(userName))
        {
            NodeRef personRef = personService.createPerson(properties);
            person = new ScriptNode(personRef, services, getScope());
        }

        return person;
    }

    /**
     * Create a Person with the given user name, firstName, lastName and emailAddress
     * 
     * @param userName
     *            the user name of the person to create
     * @return the person node (type cm:person) created or null if the user name already exists
     */
    public ScriptNode createPerson(String userName, String firstName, String lastName, String emailAddress)
    {
        ParameterCheck.mandatoryString("userName", userName);
        ParameterCheck.mandatoryString("firstName", firstName);
        ParameterCheck.mandatoryString("emailAddress", emailAddress);

        ScriptNode person = null;

        PropertyMap properties = new PropertyMap();
        properties.put(ContentModel.PROP_USERNAME, userName);
        properties.put(ContentModel.PROP_FIRSTNAME, firstName);
        properties.put(ContentModel.PROP_LASTNAME, lastName);
        properties.put(ContentModel.PROP_EMAIL, emailAddress);

        if (!personService.personExists(userName))
        {
            NodeRef personRef = personService.createPerson(properties);
            person = new ScriptNode(personRef, services, getScope());
        }

        return person;
    }

    /**
     * Set the content quota in bytes for a person. Only the admin authority can set this value.
     * 
     * @param person
     *            Person to set quota against.
     * @param quota
     *            As a string, in bytes, a value of "-1" means no quota is set
     */
    public void setQuota(ScriptNode person, String quota)
    {
        if (this.authorityService.isAdminAuthority(AuthenticationUtil.getFullyAuthenticatedUser()))
        {
            this.contentUsageService.setUserQuota((String) person.getProperties().get(ContentModel.PROP_USERNAME), Long.parseLong(quota));
        }
    }

    /**
     * Get the collection of people stored in the repository. An optional filter query may be provided by which to filter the people collection. Space separate the query terms i.e. "john bob" will find all users who's first or second names contain the strings "john" or "bob".
     * 
     * @param filter
     *            filter query string by which to filter the collection of people. If
     * 
     *            <pre>
     *            null
     *            </pre>
     * 
     *            then all people stored in the repository are returned
     * 
     * @deprecated recated see getPeople(filter, maxResults)
     * 
     * @return people collection as a JavaScript array
     */
    public Scriptable getPeople(String filter)
    {
        return getPeople(filter, 0);
    }

    /**
     * Get the collection of people stored in the repository. An optional filter query may be provided by which to filter the people collection. Space separate the query terms i.e. "john bob" will find all users who's first or second names contain the strings "john" or "bob".
     * 
     * @param filter
     *            filter query string by which to filter the collection of people. If
     * 
     *            <pre>
     *            null
     *            </pre>
     * 
     *            then all people stored in the repository are returned
     * @param maxResults
     *            maximum results to return or all if <= 0
     * 
     * @return people collection as a JavaScript array
     */
    public Scriptable getPeople(String filter, int maxResults)
    {
        return getPeople(filter, maxResults, null, true);
    }

    /**
     * Get the collection of people stored in the repository. An optional filter query may be provided by which to filter the people collection. Space separate the query terms i.e. "john bob" will find all users who's first or second names contain the strings "john" or "bob". Method supports sorting by specifying sortBy and sortAsc params.
     * 
     * @param filter
     *            filter query string by which to filter the collection of people. If
     * 
     *            <pre>
     *            null
     *            </pre>
     * 
     *            then all people stored in the repository are returned
     * @param maxResults
     *            maximum results to return or all if <= 0
     * @param sortBy
     *            field for sorting
     * @param sortAsc
     *            sort ascending or not
     * 
     * @return people collection as a JavaScript array
     */
    public Scriptable getPeople(String filter, int maxResults, String sortBy, boolean sortAsc)
    {
        return getPeoplePaging(filter, new ScriptPagingDetails(maxResults, 0), sortBy, Boolean.valueOf(sortAsc));
    }

    public Scriptable getPeoplePaging(String filter, ScriptPagingDetails pagingRequest, String sortBy, Boolean sortAsc)
    {
        List<PersonInfo> persons = getPeopleImpl(filter, pagingRequest, sortBy, sortAsc);

        Object[] peopleRefs = new Object[persons.size()];
        for (int i = 0; i < peopleRefs.length; i++)
        {
            peopleRefs[i] = persons.get(i).getNodeRef();
        }

        return Context.getCurrentContext().newArray(getScope(), peopleRefs);
    }

    protected List<PersonInfo> getPeopleImpl(String filter, ScriptPagingDetails pagingRequest, String sortBy, Boolean sortAsc)
    {
        ParameterCheck.mandatory("pagingRequest", pagingRequest);

        boolean useCQ = false;
        if (filter != null)
        {
            if (filter.endsWith(HINT_CQ_SUFFIX))
            {
                useCQ = honorHintUseCQ;
                filter = filter.substring(0, filter.length() - HINT_CQ_SUFFIX.length());
            }
        }
        else
        {
            filter = "*";
        }

        List<PersonInfo> persons = null;

        int maxResults = pagingRequest.getMaxItems();
        if ((maxResults <= 0) || (maxResults > defaultListMaxResults))
        {
            // remove open-ended query (eg cutoff at default/configurable max, eg. 5000 people)
            maxResults = defaultListMaxResults;
            pagingRequest.setMaxItems(maxResults);
        }

        // In order to use a SOLR/Lucene search, we must have a non-empty filter string - see ALF-18876
        if ((filter == null || filter.trim().isEmpty()) || useCQ)
        {
            persons = getPeopleImplDB(filter, pagingRequest, sortBy, sortAsc);
        }
        else
        {
            filter = filter.trim();

            String term = filter.replace("\"", "");
            String[] tokens = term.split("(?<!\\\\) ");
            int propIndex = term.lastIndexOf(':');
            int wildPosition = term.indexOf('*');

            // simple filter - can use CQ if search fails
            useCQ = ((tokens.length == 1) && (propIndex == -1) && ((wildPosition == -1) || (wildPosition == (term.length() - 1))));

            try
            {
                // FTS
                List<NodeRef> personRefs = getPeopleImplSearch(term, tokens, pagingRequest, sortBy, sortAsc);

                if (personRefs != null)
                {
                    persons = new ArrayList<PersonInfo>(personRefs.size());
                    for (NodeRef personRef : personRefs)
                    {
                        persons.add(personService.getPerson(personRef));
                    }
                }
            }
            catch (Throwable err)
            {
                if (useCQ)
                {
                    // search unavailable and/or parser exception - try CQ instead
                    // simple non-FTS filter: firstname or lastname or username starting with term (ignoring case)
                    persons = getPeopleImplDB(filter, pagingRequest, sortBy, sortAsc);
                }
            }
        }

        return (persons != null ? persons : new ArrayList<PersonInfo>(0));
    }

    // canned query
    protected List<PersonInfo> getPeopleImplDB(String filter, ScriptPagingDetails pagingRequest, String sortBy, Boolean sortAsc)
    {
        List<QName> filterProps = null;

        if ((filter != null) && (filter.length() > 0))
        {
            filter = filter.trim();
            if (!filter.equals("*"))
            {
                filter = filter.replace("\\", "").replace("\"", "");

                // simple non-FTS filter: firstname or lastname or username starting with term (ignoring case)

                filterProps = new ArrayList<QName>(3);
                filterProps.add(ContentModel.PROP_FIRSTNAME);
                filterProps.add(ContentModel.PROP_LASTNAME);
                filterProps.add(ContentModel.PROP_USERNAME);
            }
        }

        // Build the sorting. The user controls the primary sort, we supply
        // additional ones automatically
        List<Pair<QName, Boolean>> sort = new ArrayList<Pair<QName, Boolean>>();
        if ("lastName".equals(sortBy))
        {
            sort.add(new Pair<QName, Boolean>(ContentModel.PROP_LASTNAME, sortAsc));
            sort.add(new Pair<QName, Boolean>(ContentModel.PROP_FIRSTNAME, sortAsc));
            sort.add(new Pair<QName, Boolean>(ContentModel.PROP_USERNAME, sortAsc));
        }
        else if ("firstName".equals(sortBy))
        {
            sort.add(new Pair<QName, Boolean>(ContentModel.PROP_FIRSTNAME, sortAsc));
            sort.add(new Pair<QName, Boolean>(ContentModel.PROP_LASTNAME, sortAsc));
            sort.add(new Pair<QName, Boolean>(ContentModel.PROP_USERNAME, sortAsc));
        }
        else
        {
            sort.add(new Pair<QName, Boolean>(ContentModel.PROP_USERNAME, sortAsc));
            sort.add(new Pair<QName, Boolean>(ContentModel.PROP_FIRSTNAME, sortAsc));
            sort.add(new Pair<QName, Boolean>(ContentModel.PROP_LASTNAME, sortAsc));
        }

        return personService.getPeople(filter, filterProps, sort, pagingRequest).getPage();
    }

    // search query
    protected List<NodeRef> getPeopleImplSearch(String term, String[] tokens, ScriptPagingDetails pagingRequest, String sortBy, Boolean sortAsc) throws Throwable
    {
        List<NodeRef> personRefs = null;

        Long start = (logger.isDebugEnabled() ? System.currentTimeMillis() : null);

        int propIndex = term.indexOf(':');

        int maxResults = pagingRequest.getMaxItems();
        int skipCount = pagingRequest.getSkipCount();

        SearchParameters params = new SearchParameters();
        params.addQueryTemplate("_PERSON", "|%firstName OR |%lastName OR |%userName");
        params.setDefaultFieldName("_PERSON");
        params.setExcludeTenantFilter(getExcludeTenantFilter());
        params.setPermissionEvaluation(getPermissionEvaluationMode());

        StringBuilder query = new StringBuilder(256);

        query.append("TYPE:\"").append(ContentModel.TYPE_PERSON).append("\" AND (");

        if (tokens.length == 1)
        {
            // single word with no field will go against _PERSON and expand

            // fts-alfresco property search i.e. location:"maidenhead"
            query.append(term.substring(0, propIndex + 1)).append('"');
            if (propIndex < 0)
            {
                query.append('*');
            }
            query.append(term.substring(propIndex + 1));
            if (propIndex > 0)
            {
                query.append('"');
            }
            else
            {
                query.append("*\"");
            }
        }
        else
        {
            // scan for non-fts-alfresco property search tokens
            int nonFtsTokens = 0;
            for (String token : tokens)
            {
                if (token.indexOf(':') == -1)
                    nonFtsTokens++;
            }
            tokens = term.split("(?<!\\\\) ");

            // multiple terms supplied - look for first and second name etc.
            // also allow fts-alfresco property search to reduce results
            params.setDefaultOperator(SearchParameters.Operator.AND);
            boolean propertySearch = false;
            StringBuilder multiPartNames = new StringBuilder(tokens.length);
            boolean firstToken = true;
            for (String token : tokens)
            {
                if (!propertySearch && token.indexOf(':') == -1)
                {
                    if (nonFtsTokens == 1)
                    {
                        // simple search: first name, last name and username
                        // starting with term
                        query.append("_PERSON:\"*");
                        query.append(token);
                        query.append("*\" ");
                    }
                    else
                    {
                        // ALF-11311, in order to support multi-part firstNames/lastNames,
                        // we need to use the whole tokenized term for both
                        // firstName and lastName
                        if (token.endsWith("*"))
                        {
                            token = token.substring(0, token.lastIndexOf("*"));
                        }
                        multiPartNames.append("\"*");
                        multiPartNames.append(token);
                        multiPartNames.append("*\"");
                        if (firstToken)
                        {
                            multiPartNames.append(' ');
                        }
                        firstToken = false;
                    }
                }
                else
                {
                    // fts-alfresco property search i.e. "location:maidenhead"
                    propIndex = token.lastIndexOf(':');
                    query.append(token.substring(0, propIndex + 1)).append('"')
                            .append(token.substring(propIndex + 1)).append('"').append(' ');

                    propertySearch = true;
                }
            }
            // ALF-11311, in order to support multi-part firstNames/lastNames,
            // we need to use the whole tokenized term for both firstName and lastName.
            // e.g. "john junior lewis martinez", where "john junior" is the first
            // name and "lewis martinez" is the last name.
            if (multiPartNames.length() > 0)
            {
                query.append("firstName:");
                query.append(multiPartNames);
                query.append(" OR lastName:");
                query.append(multiPartNames);
            }
        }
        query.append(")");

        // define the search parameters
        params.setLanguage(SearchService.LANGUAGE_FTS_ALFRESCO);
        params.addStore(this.storeRef);
        params.setQuery(query.toString());

        if (logger.isDebugEnabled())
        {
            if ((sortBy != null) && (!sortBy.isEmpty()))
            {
                logger.debug("getPeopleImplSearch: ignoring sortBy (" + sortBy + ")- not yet supported by model for search");
            }
        }

        /* not yet supported (default property index tokenisation mode = true) if ("lastName".equals(sortBy)) { params.addSort("@{http://www.alfresco.org/model/content/1.0}lastName", sortAsc); params.addSort("@{http://www.alfresco.org/model/content/1.0}firstName", sortAsc); params.addSort("@{http://www.alfresco.org/model/content/1.0}userName", sortAsc); } else if ("firstName".equals(sortBy)) { params.addSort("@{http://www.alfresco.org/model/content/1.0}firstName", sortAsc); params.addSort("@{http://www.alfresco.org/model/content/1.0}lastName", sortAsc); params.addSort("@{http://www.alfresco.org/model/content/1.0}userName", sortAsc); } else { params.addSort("@{http://www.alfresco.org/model/content/1.0}userName", sortAsc); params.addSort("@{http://www.alfresco.org/model/content/1.0}firstName", sortAsc); params.addSort("@{http://www.alfresco.org/model/content/1.0}userName", sortAsc); } */

        if (maxResults > 0)
        {
            params.setLimitBy(LimitBy.FINAL_SIZE);
            params.setLimit(maxResults);
        }

        if (skipCount > 0)
        {
            params.setSkipCount(skipCount);
        }

        ResultSet results = null;
        try
        {
            results = services.getSearchService().query(params);

            personRefs = getSortedPeopleObjects(results.getNodeRefs(), sortBy, sortAsc);

            if (start != null)
            {
                logger.debug("getPeople: search - " + personRefs.size() + " items (in " + (System.currentTimeMillis() - start) + " msecs)");
            }
        }
        catch (Throwable err)
        {
            if (logger.isDebugEnabled())
            {
                logger.debug("Failed to execute people search: " + query.toString(), err);
            }

            throw err;
        }
        finally
        {
            if (results != null)
            {
                results.close();
            }
        }

        return personRefs;
    }

    private List<NodeRef> getSortedPeopleObjects(List<NodeRef> peopleRefs, final String sortBy, Boolean sortAsc)
    {
        if (sortBy == null)
        {
            return peopleRefs;
        }

        // make copy of peopleRefs because it can be unmodifiable list.
        List<NodeRef> sortedPeopleRefs = new ArrayList<NodeRef>(peopleRefs);
        final Collator col = Collator.getInstance(I18NUtil.getLocale());
        final NodeService nodeService = services.getNodeService();
        final int orderMultiplicator = ((sortAsc == null) || sortAsc) ? 1 : -1;
        Collections.sort(sortedPeopleRefs, new Comparator<NodeRef>() {
            @Override
            public int compare(NodeRef n1, NodeRef n2)
            {
                Serializable p1 = getProperty(n1);
                Serializable p2 = getProperty(n2);

                if ((p1 instanceof Long) && (p2 instanceof Long))
                {
                    return Long.compare((Long) p1, (Long) p2) * orderMultiplicator;
                }

                return col.compare(p1.toString(), p2) * orderMultiplicator;
            }

            public Serializable getProperty(NodeRef nodeRef)
            {
                Serializable result;

                if ("fullName".equalsIgnoreCase(sortBy))
                {
                    String firstName = (String) nodeService.getProperty(nodeRef, ContentModel.PROP_FIRSTNAME);
                    String lastName = (String) nodeService.getProperty(nodeRef, ContentModel.PROP_LASTNAME);
                    String fullName = firstName;
                    if (lastName != null && lastName.length() > 0)
                    {
                        fullName = fullName + " " + lastName;
                    }

                    result = fullName;
                }
                else if ("jobtitle".equalsIgnoreCase(sortBy))
                {
                    result = nodeService.getProperty(nodeRef, ContentModel.PROP_JOBTITLE);
                }
                else if ("email".equalsIgnoreCase(sortBy))
                {
                    result = nodeService.getProperty(nodeRef, ContentModel.PROP_EMAIL);
                }
                else if ("usage".equalsIgnoreCase(sortBy))
                {
                    result = nodeService.getProperty(nodeRef, ContentModel.PROP_SIZE_CURRENT);
                }
                else if ("quota".equalsIgnoreCase(sortBy))
                {
                    result = nodeService.getProperty(nodeRef, ContentModel.PROP_SIZE_QUOTA);
                }
                else
                {
                    // Default
                    result = nodeService.getProperty(nodeRef, ContentModel.PROP_USERNAME);
                }

                if (result == null)
                {
                    result = "";
                }

                return result;
            }

        });

        return sortedPeopleRefs;
    }

    /**
     * Gets the Person given the username
     * 
     * @param username
     *            the username of the person to get
     * @return the person node (type cm:person) or null if no such person exists
     */
    public ScriptNode getPerson(final String username)
    {
        NodeRef personRef = null;

        ParameterCheck.mandatory("Username", username);
        try
        {
            personRef = personService.getPersonOrNull(username);
        }
        catch (AccessDeniedException e)
        {
            // ok, just return null to indicate not found
        }

        return personRef == null ? null : new ScriptNode(personRef, services, getScope());
    }

    /**
     * Faster helper when the script just wants to build the Full name for a person. Avoids complete getProperties() retrieval for a cm:person.
     * 
     * @param username
     *            the username of the person to get Full name for
     * @return full name for a person or null if the user does not exist in the system.
     */
    public String getPersonFullName(final String username)
    {
        String name = null;
        ParameterCheck.mandatoryString("Username", username);
        final NodeRef personRef = personService.getPersonOrNull(username);
        if (personRef != null)
        {
            final NodeService nodeService = services.getNodeService();
            final String firstName = (String) nodeService.getProperty(personRef, ContentModel.PROP_FIRSTNAME);
            final String lastName = (String) nodeService.getProperty(personRef, ContentModel.PROP_LASTNAME);
            name = (firstName != null ? firstName + " " : "") + (lastName != null ? lastName : "");
        }
        return name;
    }

    /**
     * Gets the Group given the group name
     * 
     * @param groupName
     *            name of group to get
     * @return the group node (type usr:authorityContainer) or null if no such group exists
     */
    public ScriptNode getGroup(String groupName)
    {
        ParameterCheck.mandatoryString("GroupName", groupName);
        ScriptNode group = null;
        NodeRef groupRef = authorityDAO.getAuthorityNodeRefOrNull(groupName);
        if (groupRef != null)
        {
            group = new ScriptNode(groupRef, services, getScope());
        }
        return group;
    }

    /**
     * Deletes a group from the system.
     * 
     * @param group
     *            The group to delete
     */
    public void deleteGroup(ScriptNode group)
    {
        ParameterCheck.mandatory("Group", group);
        if (group.getQNameType().equals(ContentModel.TYPE_AUTHORITY_CONTAINER))
        {
            String groupName = (String) group.getProperties().get(ContentModel.PROP_AUTHORITY_NAME);
            authorityService.deleteAuthority(groupName);
        }
    }

    /**
     * Create a new root level group with the specified unique name
     * 
     * @param groupName
     *            The unique group name to create - NOTE: do not prefix with "GROUP_"
     * 
     * @return the group reference if successful or null if failed
     */
    public ScriptNode createGroup(String groupName)
    {
        return createGroup(null, groupName);
    }

    /**
     * Create a new group with the specified unique name
     * 
     * @param parentGroup
     *            The parent group node - can be null for a root level group
     * @param groupName
     *            The unique group name to create - NOTE: do not prefix with "GROUP_"
     * 
     * @return the group reference if successful or null if failed
     */
    public ScriptNode createGroup(ScriptNode parentGroup, String groupName)
    {
        ParameterCheck.mandatoryString("GroupName", groupName);

        ScriptNode group = null;

        String actualName = services.getAuthorityService().getName(AuthorityType.GROUP, groupName);
        if (authorityService.authorityExists(actualName) == false)
        {
            String result = authorityService.createAuthority(AuthorityType.GROUP, groupName);
            if (parentGroup != null)
            {
                String parentGroupName = (String) parentGroup.getProperties().get(ContentModel.PROP_AUTHORITY_NAME);
                if (parentGroupName != null)
                {
                    authorityService.addAuthority(parentGroupName, actualName);
                }
            }
            group = getGroup(result);
        }

        return group;
    }

    /**
     * Add an authority (a user or group) to a group container as a new child
     * 
     * @param parentGroup
     *            The parent container group
     * @param authority
     *            The authority (user or group) to add
     */
    public void addAuthority(ScriptNode parentGroup, ScriptNode authority)
    {
        ParameterCheck.mandatory("Authority", authority);
        ParameterCheck.mandatory("ParentGroup", parentGroup);
        if (parentGroup.getQNameType().equals(ContentModel.TYPE_AUTHORITY_CONTAINER))
        {
            String parentGroupName = (String) parentGroup.getProperties().get(ContentModel.PROP_AUTHORITY_NAME);
            String authorityName;
            if (authority.getQNameType().equals(ContentModel.TYPE_AUTHORITY_CONTAINER))
            {
                authorityName = (String) authority.getProperties().get(ContentModel.PROP_AUTHORITY_NAME);
            }
            else
            {
                authorityName = (String) authority.getProperties().get(ContentModel.PROP_USERNAME);
            }
            authorityService.addAuthority(parentGroupName, authorityName);
        }
    }

    /**
     * Remove an authority (a user or group) from a group
     * 
     * @param parentGroup
     *            The parent container group
     * @param authority
     *            The authority (user or group) to remove
     */
    public void removeAuthority(ScriptNode parentGroup, ScriptNode authority)
    {
        ParameterCheck.mandatory("Authority", authority);
        ParameterCheck.mandatory("ParentGroup", parentGroup);
        if (parentGroup.getQNameType().equals(ContentModel.TYPE_AUTHORITY_CONTAINER))
        {
            String parentGroupName = (String) parentGroup.getProperties().get(ContentModel.PROP_AUTHORITY_NAME);
            String authorityName;
            if (authority.getQNameType().equals(ContentModel.TYPE_AUTHORITY_CONTAINER))
            {
                authorityName = (String) authority.getProperties().get(ContentModel.PROP_AUTHORITY_NAME);
            }
            else
            {
                authorityName = (String) authority.getProperties().get(ContentModel.PROP_USERNAME);
            }
            authorityService.removeAuthority(parentGroupName, authorityName);
        }
    }

    /**
     * Gets the members (people) of a group (including all sub-groups)
     * 
     * @param group
     *            the group to retrieve members for
     *
     * @return members of the group as a JavaScript array
     */
    public Scriptable getMembers(ScriptNode group)
    {
        ParameterCheck.mandatory("Group", group);
        Object[] members = getContainedAuthorities(group, AuthorityType.USER, true);
        return Context.getCurrentContext().newArray(getScope(), members);
    }

    /**
     * Gets the members (people) of a group
     * 
     * @param group
     *            the group to retrieve members for
     * @param recurse
     *            recurse into sub-groups
     * 
     * @return the members of the group as a JavaScript array
     */
    public Scriptable getMembers(ScriptNode group, boolean recurse)
    {
        ParameterCheck.mandatory("Group", group);
        Object[] members = getContainedAuthorities(group, AuthorityType.USER, recurse);
        return Context.getCurrentContext().newArray(getScope(), members);
    }

    /**
     * Gets the groups that contain the specified authority
     * 
     * @param person
     *            the user (cm:person) to get the containing groups for
     * 
     * @return the containing groups as a JavaScript array
     */
    public Scriptable getContainerGroups(ScriptNode person)
    {
        ParameterCheck.mandatory("Person", person);
        Object[] parents = null;
        Set<String> authorities = this.authorityService.getContainingAuthoritiesInZone(
                AuthorityType.GROUP,
                (String) person.getProperties().get(ContentModel.PROP_USERNAME),
                AuthorityService.ZONE_APP_DEFAULT, null, 1000);
        parents = new Object[authorities.size()];
        int i = 0;
        for (String authority : authorities)
        {
            ScriptNode group = getGroup(authority);
            if (group != null)
            {
                parents[i++] = group;
            }
        }
        return Context.getCurrentContext().newArray(getScope(), parents);
    }

    /**
     * Return true if the specified user is an Administrator authority.
     * 
     * @param person
     *            to test
     * 
     * @return true if an admin, false otherwise
     */
    public boolean isAdmin(ScriptNode person)
    {
        ParameterCheck.mandatory("Person", person);
        return this.authorityService.isAdminAuthority((String) person.getProperties().get(ContentModel.PROP_USERNAME));
    }

    /**
     * Return true if the specified user is an guest authority.
     * 
     * @param person
     *            to test
     * 
     * @return true if an admin, false otherwise
     */
    public boolean isGuest(ScriptNode person)
    {
        ParameterCheck.mandatory("Person", person);
        return this.authorityService.isGuestAuthority((String) person.getProperties().get(ContentModel.PROP_USERNAME));
    }

    /**
     * Gets a map of capabilities (boolean assertions) for the given person.
     * 
     * @param person
     *            the person
     * @return the capability map
     */
    public Map<String, Boolean> getCapabilities(final ScriptNode person)
    {
        ParameterCheck.mandatory("Person", person);
        Map<String, Boolean> retVal = new ScriptableHashMap<String, Boolean>();
        retVal.putAll(this.valueDerivingMapFactory.getMap(person));
        return retVal;
    }

    /**
     * Return a map of the Person properties that are marked as immutable for the given user. This enables a script to interogate which properties are dealt with by an external system such as LDAP and should not be mutable in any client UI.
     * 
     * @param username
     *            String
     *
     * @return ScriptableHashMap
     */
    public ScriptableHashMap getImmutableProperties(String username)
    {
        Set<QName> props = userRegistrySynchronizer.getPersonMappedProperties(username);
        ScriptableHashMap propMap = new ScriptableHashMap();
        for (QName prop : props)
        {
            propMap.put(prop.toString(), Boolean.TRUE);
        }
        return propMap;
    }

    /**
     * Get Contained Authorities
     * 
     * @param container
     *            authority containers
     * @param type
     *            authority type to filter by
     * @param recurse
     *            recurse into sub-containers
     * 
     * @return contained authorities
     */
    private Object[] getContainedAuthorities(ScriptNode container, AuthorityType type, boolean recurse)
    {
        Object[] members = null;

        if (container.getQNameType().equals(ContentModel.TYPE_AUTHORITY_CONTAINER))
        {
            String groupName = (String) container.getProperties().get(ContentModel.PROP_AUTHORITY_NAME);
            Set<String> authorities = authorityService.getContainedAuthorities(type, groupName, !recurse);
            members = new Object[authorities.size()];
            int i = 0;
            for (String authority : authorities)
            {
                AuthorityType authorityType = AuthorityType.getAuthorityType(authority);
                if (authorityType.equals(AuthorityType.GROUP))
                {
                    ScriptNode group = getGroup(authority);
                    if (group != null)
                    {
                        members[i++] = group;
                    }
                }
                else if (authorityType.equals(AuthorityType.USER))
                {
                    ScriptNode person = getPerson(authority);
                    if (person != null)
                    {
                        members[i++] = person;
                    }
                }
            }
        }

        return members != null ? members : new Object[0];
    }

    public boolean getExcludeTenantFilter()
    {
        return false;
    }

    public PermissionEvaluationMode getPermissionEvaluationMode()
    {
        return PermissionEvaluationMode.EAGER;
    }
}
